clients. For an unlimited user license, the maximum is 250 (which is the same as all other ASA models).
!
dhcpd enable INSIDE
dhcpd address 192.168.3.10-192.168.3.20 INSIDE
dhcpd domain lab.local
dhcpd lease 3200
dhcpd dns 8.8.8.8 8.8.4.4
!
If the ASA outside interface is configured as a DHCP client, the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.
!
dhcpd auto_config outside
!
show dhcpd state
show dhcpd binding
show dhcpd statistics
!
Cisco ASDM is a Java-based GUI tool that facilitates the setup, configuration, monitoring, and troubleshooting of Cisco ASAs.
!
Cisco ASDM can be used to monitor and configure multiple ASAs that run the same ASDM version.
!
copy tftp://192.168.137.1/asdm-647.bin disk0:
!
http server enable
http 192.168.3.0 255.255.255.0 INSIDE
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 3
aaa authorization exec LOCAL
asdm image disk0:/asdm-647.bin
asdm history enable
!
The Cisco ASDM Home page displays important information about the ASA. Status information in the Home page is updated every 10 seconds.
!
A network object name can contain only one IP address and mask pair. Therefore, there can only be one statement in the network object. Entering a second IP address/mask pair will replace the existing configuration.
!
A service object name can only be associated with one protocol and port (or ports). If an existing service object is configured with a different protocol and port (or

of numbered.
!
Therefore, an ACL would be required to permit traffic from a lower security level to a higher security level.
!
Note: To allow connectivity between interfaces with the same security levels, the same-security-traffic permit inter-interface global configuration command is required. To enable traffic to enter and exit the same interface, such as when encrypted traffic enters an interface and is then routed out the same interface unencrypted, use the same-security-traffic permit intra-interface global configuration command.
!
ACLs on a security appliance can be used not only to filter packets passing through the appliance but also to filter packets destined to the appliance.
!
The ASA divides the NAT configuration into two sections. The first section defines the network to be translated using a network object. The second section defines the actual nat command parameters. These appear in two different places in the running-config.
!
Note: The any keyword could be used instead of the mapped-ifc parameter. This allows the translation of an object between multiple interfaces with just one CLI command. For example, nat (dmz,any) static 209.165.200.227 would allow any device on any internal network to access the DMZ server using the outside IP address.
!
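The two-section NAT layout and the ACL requirement described above, as an added example that is not part of the original notes. The object name DMZ-SERVER, the real address 192.168.2.3, the ACL name OUTSIDE-DMZ and the permitted service (www) are constructed values; the mapped address and the dmz and outside interface names are the ones used on this page.

```cisco
! Section 1: the network object defines what is translated.
! (192.168.2.3 is a constructed real address for the DMZ server.)
object network DMZ-SERVER
 host 192.168.2.3
!
! Section 2: the nat command is entered under the same object, but the
! running-config lists it in a separate block after all object definitions.
object network DMZ-SERVER
 nat (dmz,outside) static 209.165.200.227
!
! Static NAT alone does not open the path: outside has a lower security
! level than dmz, so an ACL must permit the traffic. With object NAT the
! ACL matches the real address (the object), not the mapped address.
! Permit only the service the server actually publishes.
access-list OUTSIDE-DMZ extended permit tcp any object DMZ-SERVER eq www
access-group OUTSIDE-DMZ in interface outside
!
! Verification: the object and its nat statement show up in different
! parts of the configuration, so check both.
show running-config object
show running-config nat
show nat detail
show xlate
show access-list OUTSIDE-DMZ
```

Using nat (dmz,outside) instead of nat (dmz,any) limits the translation to one interface pair, which keeps the exposure of the DMZ server easier to audit.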